Issue Type: Performance Improvement
Created: 2009-01-09T07:29:16.000+0000
Last Updated: 2009-02-06T09:42:56.000+0000
Status: Resolved
Fix version(s): 1.8.0 (30/Apr/09)
Reporter: Jan Gorman (polygraf)
Assignee: Thomas Weidner (thomas)
Tags: Zend_Date
The use of Date::isDate() can potentially lead to a DoS attack on a site where dates are validated using Zend_Validate_Date. Consider the following example:
$formElement->addValidator( new Zend_Validate_Date( 'DD.MM.YYYY', new Zend_Locale( 'de_DE' ) ) );
User input such as 12.12.123123123 (basically anything really far in the future) will send CPU usage to 100%.
Maybe the function should have some kind of sensible bounds built in or at least the documentation should make users aware of this.
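One way to apply the "sensible bounds" idea in calling code, before the value ever reaches Zend_Validate_Date. This is an added example, not part of the original report or of Zend Framework; precheckGermanDate() and the 1900 to 2100 year window are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example: bound DD.MM.YYYY input before any locale-aware date parsing.
// precheckGermanDate() and the year limits are hypothetical, not Zend Framework API.

const MIN_YEAR = 1900; // assumed lower bound for this form field
const MAX_YEAR = 2100; // assumed upper bound for this form field

/**
 * Returns array(day, month, year) when $input is a real DD.MM.YYYY date
 * inside the allowed year window, or null when it must be rejected.
 */
function precheckGermanDate($input, $minYear = MIN_YEAR, $maxYear = MAX_YEAR)
{
    // Reject non-strings and anything that is not exactly 10 bytes long,
    // so the cost of the check does not grow with attacker-chosen input.
    if (!is_string($input) || strlen($input) !== 10) {
        return null;
    }
    // Fixed digit counts; \A and \z anchor the whole string (no trailing newline).
    if (!preg_match('/\A(\d{2})\.(\d{2})\.(\d{4})\z/', $input, $m)) {
        return null;
    }
    list(, $day, $month, $year) = array_map('intval', $m);

    // Year window first, then calendar validity (rejects e.g. 31.02.).
    if ($year < $minYear || $year > $maxYear) {
        return null;
    }
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return array($day, $month, $year);
}

// Constructed sample inputs, including the value from the report above.
$samples = array('09.01.2009', '12.12.123123123', '31.02.2009', '01.01.9999', "09.01.2009\n");
foreach ($samples as $s) {
    $ok = precheckGermanDate($s) !== null;
    printf("%-18s %s\n", json_encode($s), $ok ? 'pass to date validator' : 'reject');
}
```

Only values that pass this pre-check would then be handed to the locale-aware validator.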
Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-01-09T15:47:49.000+0000
Could be just me, but doesn't this go for all resource-intensive 'scripts' (sorry Thomas)? If more resources than available are requested on purpose, a server is considered under attack. I can't see how this specifically relates to Zend_Date (or the Zend Framework in general).
Posted by Thomas Weidner (thomas) on 2009-02-06T09:42:56.000+0000
Fixed with r13997